The group's mastermind was nabbed in Côte d'Ivoire for stealing up to $30 million using malware, phishing campaigns, and BEC scams, as part of international law enforcement's Operation Nervone.

The suspected top member of the cybercrime group OPERA1ER has been arrested for playing a part in the group stealing up to an estimated $30 million in a variety of scams against financial and telecommunications organizations — including malware, phishing, and business email compromise (BEC).

The group, which also operates under aliases BlueBottle, NX$M$, DESKTOP Group, and Common Raven, is allegedly behind 30 attacks across 15 countries in Africa, Asia, and Latin America, according to Interpol.

Interpol announced that the investigation, code named "Operation Nervone," followed a detailed overview of the group's activities published in November 2022 by Group-IB and Orange S.A. The arrest of the individual, who was not named, entailed extensive cooperation between Interpol, AFRIPOL, Group-IB and Côte d'Ivoire's Direction de l'Information et des Traces Technologiques (DITT), the agency said.

"We have been tracking OPERA1ER since 2019," Dmitry Volkov, CEO at Group-IB, said in a statement provided to Dark Reading. "The success of Operation Nervone exemplifies the importance of threat data exchange, and thanks to our collaboration with Interpol, Orange-CERT-CC, and private and public sector partners, we were collectively able to piece together the whole puzzle."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

OPERA1ER Cybercrime Group's Leader Arrested by Interpol

LockBit 3.0 claims responsibility for the cyberattack that shuttered the largest port in Japan, according to authorities.

Cargo containers filled with imports and exports from all over the world have been stuck at the Port of Nagoya following a ransomware attack on its networks early Tuesday morning.

The port is the largest in Japan and the central shipping hub for international carmaker Toyota. According to its operator, Nagoya Harbor Transportation, it received a ransom demand from LockBit 3.0 after a system failure on Tuesday at 6:30 a.m., the Japan Times reported.

The port authority said it expects to resume operations on Thursday morning.

"We will closely monitor any impact on production while carefully examining the parts inventory," Toyota told the Japan Times.

LockBit 3.0 is a prolific Russian-based ransomware operation used to target organizations, including the Italian Tax Agency.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ransomware Halts Operations at Japan's Port of Nagoya

Now is the time to build safeguards into nascent AI technology.

Are we in a golden age of artificial intelligence? It's tough to make predictions — and probably ill-advised. Who wants to predict the future of such a new technology?

We can, however, say some things for certain. A great deal is being made of AI's application to creative works, from voice acting to first drafts of screenplays. But AI is likely to be most useful when dealing with drudgery. This is good news for developers, if the promise matches early experiments — first drafts of code can be easily created and ready for developers to tweak and iterate upon.

However, it's important to remember that not every coder is working for a legitimate business. Just as cybersecurity threat actors have emulated their targets in becoming more businesslike, they're also adopting new technologies and techniques. We can expect AI to help in the development of malware and other threats in the coming years, whether we're entering a golden age of AI or not.

**Drafting Code and Scams**

One trend we've seen in recent years is a rise of "as-a-service" offerings. Early hackers were tinkerers and mischief-makers, tricking phone systems or causing chaos mostly as an exercise in fun. This has fundamentally changed. Threat actors are professional and often sell their products for others to use.

AI will fit very nicely into this way of working. Able to create code to tackle specific problems, AI can amend code to target vulnerabilities or take existing code and change it, so it's not so easily detected by security measures looking for specific patterns.

But the possibilities for AI's misuse doesn't stop there. Many phishing emails are detected by effective filtering tools and end up in junk folders. Those that do make it to the inbox are often very obviously scams, written so badly they're borderline incomprehensible. But AI could break this pattern, creating thousands of plausible emails that can evade detection and be well-written enough to fool both filters and end users.

Spear-phishing, the more targeted form of this attack, could also be revolutionized by this tech. Sure, it's easy to ignore an email from your boss asking you to wire cash or urgently buy gift cards — cybersecurity training helps employees avoid this sort of scam. But what about a deep-fake phone call or video chat? AI has the potential to take broadcast appearances and podcasts and turn them into a convincing simulacrum, something far harder to ignore.

**Fighting Back Against AI Cyberattacks**

There are two main ways to fight back against the benefits that AI will confer on the enemy — better AI and better training — And both will be necessary.

The advent of this new generation of AI has started a new arms race. As cybercriminals use it to evolve their attacks so will security teams need to use it to evolve their defenses.

Without AI, defenses rely on overworked people and monitoring for certain preprogramed patterns to prevent attacks. AI defensive tools will be able to predict attack vectors and pinpoint sensitive areas of the network and systems. They'll also be able to analyze malicious code, allowing a better understanding of how new attacks work and how they can be prevented.

AI could also work, in a pinch, as an emergency stop — disabling the network upon detecting a breach and locking down the entire system. While not ideal from a business continuity perspective, this could be far less damaging than a data breach.

But fighting AI with AI is not the only answer. We also need human intelligence. No matter how smart and targeted, the best defense against a phishing attack is an employee or customer who knows what to look for and is suspicious enough not to take the bait. Implementing robust security policies and best-practice cyber hygiene will remain key to defending against attacks.

This means that training will need to be updated to include the signs of an AI attack … whatever those might be. Training will need to evolve with AI — a single training course every few years isn't going to cut it anymore when that training is quickly out of date.

While the possible signs of an AI-driven cyberattack are changing rapidly, in general, attacks are:

*   **Fast and scalable**, exploiting multiple vulnerabilities in a short time span.
*   **Adaptive and evasive**, changing tactics and techniques to avoid detection and response.
*   **Targeted and personalized**, using AI to craft convincing phishing emails or social engineering campaigns.
*   **Deceptive and manipulative**, using AI to create fake or altered content such as deepfakes, voice cloning, or text generation.
*   **Stealthy and persistent**, hiding in the network infrastructure for a long time without being noticed.

These signs aren't exhaustive, and some AI-driven attacks may not exhibit all of them. However, they indicate the level of threat that AI poses to cybersecurity.

To effectively fight AI-driven cyberattacks, businesses must think beyond individual bad actors and prepare for coordinated attacks by state-sponsored actors or criminal organizations that may use AI to launch sophisticated campaigns using a risk-based approach. They should also have a proactive strategy that includes regular security audits, backups, encryption, and incident response plans. This is most easily accomplished by obtaining a well-known security certification such as PCI-DSS.

Finally, it's imperative that organizations improve the cybersecurity of their own AI systems by ensuring their integrity, confidentiality, and availability, and by mitigating the risks of adversarial attacks, data poisoning, and model stealing.

These strategies will help protect businesses, but they shouldn't standalone — security should be collaborative. By collaborating with other organizations, researchers, and authorities to share information, best practices, and failures that can be learned from, businesses will be better prepared for the new wave of AI security threats.

AI is both a new threat and a continuation of older threats. Businesses will have to evolve how they tackle cyber threats as these threats become more sophisticated and more numerous, but a lot of the fundamentals remain the same. Getting these right remains critical. Security teams don't need to pivot away from old ideas but build on them to keep their businesses safe.

A Golden Age of AI … or Security Threats?

The ransomware group shows an evolution of its tactics with MOVEit zero-day — potentially ushering in a new normal when it comes to extortion supply chain cyberattacks, experts say.

The MOVEit file transfer zero-day vulnerability, first discovered on June 1, was used to breach at least 160 confirmed victims by June 30. The successful mass extortion campaign represents an evolution of tactics by the Russian-backed Cl0p ransomware group, which experts say is likely to catch the attention of rival threat actors.

Threat researchers note that the MOVEit campaign has some clues about how to respond to future of supply chain cyberattacks for defenders as well.

So far, the breached organizations include a who's who of international brands, like Avast's parent company,  
British Airways, Siemens, UCLA, and more. Reports say the ransomware group pulled off the technically detailed mass exploitation after at least two years of careful development, patiently plotting and planning when and where to strike, armed with the secret flaw in the MOVEit file transfer software.

**Ransomware-Less Ransomware Attacks**

Researchers note a few innovations Cl0p has made between previous exploits and the MOVEit campaign, which are likely to influence other threat groups. For instance, Cl0p has streamlined the extortion business model by doing away with ransomware all together, John Hammond, Huntress security threat researcher explained to Dark Reading.

"From what the industry has seen in \[recent\] Cl0p breaches (namely, GoAnywhere MFT and MOVEit Transfer), they haven't executed ransomware within the target environments," Hammond says. "The operations have strictly been exfiltrating data and using that stolen information for later blackmail and extortion. It's not clear why they opted not to encrypt files."

While it's not clear why Cl0p pivoted, the end result is a ransomware business model without the overhead of trying building better ransomware, he adds.

"Perhaps other cybercrime gangs will follow suit, and the development of ransomware tooling and creating faster malware may fall to the way-side when adversaries can just focus on their real goal of making money," Hammond says.

**Third-Party Zero Day Exploit Providers**

All of that said, if making money was the primary motivation for the MOVEit cyberattacks, the group would have chosen a much simpler approach than investing the time and resources to discover and develop an exploit like the one in MOVEit.

John Fokker, head of threat intelligence with the Trellix Advanced Research Center explained to Dark Reading he thinks he has the answer: The group acquired the zero-day from a third party.

"There are several aspects and factors of this particular cyberattack and vulnerability that are really interesting," John Fokker, head of threat intelligence with the Trellix Advanced Research Center explained to Dark Reading. "The MOVEit vulnerability isn't an easy or straightforward one — it required extensive research into the MOVEit platform to discover, understand, and exploit this vulnerability. The skill set required to uncover and exploit this vulnerability isn't easily trained and is hard to come by in the industry."

He adds, devoting that level of detail to an operation isn't something Cl0p ransomware group usually does, which is another clue leading Fokker and his team to suspect Cl0p acquired the MOVEit zero-day vulnerability rather than developing it from scratch.

"It's definitely a possibility that Cl0p didn't actually discover this zero-day vulnerability and exploit but rather acquired it from a third party," Fokker adds. "We believe with moderate confidence that this was the case, based on what was mentioned above in addition to certain other elements of the attack and leak postings."

**Shoring up the Software Supply Chain Against Future Zero-Day Exploits**

Stopping more sophisticated zero-day supply chain attacks requires investment in proactive efforts, including robust, responsive bug bounty programs funded by software vendors, notes Randy Pargman, director of threat detection with Proofpoint explains.

"There's a huge discrepancy between the amount of money that software vendors are willing to pay for bug bounties versus the amount that zero-day researchers can get from governments and underground markets for their research, so vendors could do better by investing more," Pargman says. "Where software companies can still improve the most is in making it easier for bug bounty hunters to report issues, and treating researchers with respect."

But as Omkhar Arasaratnam, general manager of the Open Source Security Foundation says, what he's more concerned about are reports of panicked responses to the MOVEit exploit among cybersecurity professionals.

"The cybersecurity community should focus on making incidents boring," Arasaratnam says. "When paramedics arrive at an accident scene they do not run around frantically or in a panic. Paramedics deliberately, and stoically execute the procedures that they've learned to gain access, assess the scene, triage, and help effectively. Cybersecurity can take a lesson from paramedics."

Cl0p's MOVEit Campaign Represents a New Era in Cyberattacks

Attackers use HTML smuggling to spread the PlugX RAT in the campaign, which has been ongoing since at least December.

A Chinese threat group has adopted a sneak HTML technique long-used by its counterparts to target European policy-makers, in a campaign aimed at spreading the PlugX remote access Trojan (RAT).

Over the course of the last two months, Check Point Research (CPR) analysts have been tracking the activity, which they've dubbed SmugX because it uses an attack vector called HTML Smuggling — a technique for planting malicious payloads inside HTML documents, the researchers revealed in a report published earlier this week.

The campaign has been ongoing since at least December and appears to have a direct link to a previously reported campaign attributed to Chinese APT RedDelta, as well as the work of Chinese APT Mustang Panda (aka Camaro Dragon or Bronze President), although there is "insufficient evidence" to definitively link SmugX to either group, according to the research.

Moreover, while Check Point separates Mustang Panda and Camaro Dragon into two separate entities, other researchers refer to the two as one and the same; RedDelta, meanwhile, appears to have links to both groups, according to Check Point researchers.

SmugX represents a shift in targeting for Chinese threat actors, which in the past have primarily focused on Russia, Asia, and the US in their threat campaigns, they added. However, a recent campaign linked to Mustang Panda to use USB drives to spread self-propagating espionage malware already indicated that these groups already engaged in threat activity in Europe as part of their global intent.

SmugX targets mainly governmental ministries in Eastern European countries — including Ukraine, the Czech Republic, Slovakia, and Hungary — as well as in Sweden, France, and the UK. Document lures used to dupe victims focus on European domestic and foreign policies, typically impersonating key agencies in the respective country to appear authentic.

**SmugX Cyberattack Details**

SmugX uses as its malware-delivery mechanism HTML documents that contain diplomatic-related content. In more than one case, this content is directly related to China — including an article about two Chinese human rights lawyers sentenced to more than a decade in prison.

Other documents used in the campaign are a letter originating from the Serbian embassy in Budapest; a document stating the priorities of the Swedish Presidency of the Council of the European Union; an invitation to a diplomatic conference issued by Hungary's Ministry of Foreign Affairs.

The malware is embedded within these HTML documents, which allows them to evade network-based detection measures, according to the research.

Opening one of the malicious HTML documents results in the decoding of a JavaScript that includes the embedded payload — which in this case is PlugX, a RAT that has been used by Chinese threat actors since 2008. This sets off a chain of events that eventually leads to the deployment of the RAT, which employs a modular structure that accommodates several diverse plugins with distinct functionalities.

"This enables the attackers to carry out a range of malicious activities on compromised systems, including file theft, screen captures, keystroke logging, and command execution," according to the report.

The PlugX payload ensures its persistence in a process that first copies the legitimate program and the DLL and then stores them within a hidden directory it creates, with the encrypted payload stored in a separate hidden folder. The malware then adds the legitimate program to the Run registry key.

**Defensive Maneuvers Against PlugX, RATs**

Though neither the techniques nor the malware used in the campaign are new, SmugX does present a challenge for targeted organizations because of how it combines different tactics and its likelihood of not easily being detected. This allows "threat actors to stay under the radar for quite a while," according to Check Point.

To help organizations identify if they've been compromised, the report includes an extensive list of indicators of compromise (IoCs) that span HTML addresses, archives, JavaScript snippets, encrypted payload files, IPs and domains, and more.

Employees should always be wary of clicking on unknown links or files when using a corporate network, and check with IT departments before downloading anything new from the Internet. Moreover, a comprehensive combination of threat emulation and endpoint detection strategies also can defend against attacks such as SmugX, according to Check Point.

China's Mustang Panda Linked to SmugX Attacks on European Governments

You can't encrypt a file you can't open — Microsoft could dramatically impact ransomware by slowing it down.

Recently, I was at a private event on security by design. I explained that Microsoft could fix ransomware tomorrow, and was surprised that the otherwise well-informed people I was speaking to hadn't heard about this approach.

Ransomware works by going through files, one by one, and replacing their content with an encrypted version. (Sometimes it also sends copies elsewhere, but that turns out to be slow, and sometimes sets off alarms.) Software on Microsoft Windows uses an application programming interface (API) called "CreateFile" to access files. Somewhat confusingly, CreateFile not only creates files but is also the primary way to open them.

Microsoft should rate-limit the CreateFile() API. That is to say, it should limit how often a given program can use the API. Because you can't encrypt a file until you can open it, this would have a dramatic impact on ransomware. It would slow it down, and help defensive tools catch it in time for humans to react.

Now, I say Microsoft _should_ do this, and I hope it does.

Also, I made this suggestion to help show the complexity of maintaining compatibility. On the surface, it's very simple and elegant. In practice — and I say this as the person who drove the Autorun fix into Windows Update — there's going to be both practical complexities and concerns that we don't know what all the effects will be.

**What Rate Is Reasonable?**

The first question is, what rate is reasonable? Pick low and you break applications; pick high and you lessen the protective value. For a lot of cases, one open per second seems fine, but when we get to things like compilers, which are going to open a lot of files, we see that we may need both a general limit and allow bursts. When we get to backup software, it gets even more complicated. The backup software needs to open all the files, or at least all the changed files, which, if you think about it, is really similar to what ransomware wants to do. We can't allow an exception for read-only opens. The ransomware will open a file, encrypt the contents, write it to a new file or append it to a database, and delete the original.

So, Windows will probably need multiple rate limits. There will need to be a way to exempt programs (like compilers and backup tools), and maybe that needs to be issued globally, which means a process for software creators to get a special certificate. There needs to be logging and alerts created, tested, internationalized, etc. There'll need to be new GPOs (a tool used to administer Windows) created and documented. There needs to be a local way to allow more CreateFile calls for software that is locally developed or obscure, or whose makers are no longer around. We need to make sure that ransomware can't abuse those mechanisms. (On recent Macs, there's a complex process of reboots needed to make certain changes to the system; perhaps something similar is warranted?)

That last is tricky: The administrator has power, by design, and it's hard to limit that power. Even logging file opens would make it easier to see what software is opening lots of new files, and make it harder for ransomware to be stealthy. (And yes, there are too many alarms already.)

As long as we are not hyperfocused on the details, attackers change slowly. They still phish, through more and more channels. Over 20 years, break-ins have gone from abusing software that's listening on open ports to other problems. That was the result of a breaking change of turning the Windows Firewall on by default, in response to 2003's "summer of worms."

Hyrum's law states roughly that somebody will depend on every observable behavior of your system. And change becomes complex. The simple statement "Microsoft should rate-limit the CreateFile() API" is a can of worms.

Given the exceptional cost of ransomware today, I think that can of worms is worth opening. I think my former colleagues are up to the challenge.

Microsoft Can Fix Ransomware Tomorrow

The company's Confidential Data Search technique relies on confidential computing to keep data secure even while it is in use.

Fortanix is bringing hardware security technology to database search with Confidential Data Search, with the goal to help organizations process highly sensitive data in databases. Fortanix's technology uses confidential computing technologies to allow data to be searched within the hardware vault.

Various encryption schemes and technologies are used to protect data while at rest and while being transported between systems. Confidential computing provides layers of hardware protection so that data remains secure even while it is being processed. Data is stored in a secure hardware vault, authorized parties need a code to unlock the vault, and the data is processed inside without ever leaving the vault.

Advancements in chip technology have made it possible to build these secure vaults directly inside chips. The chip makers have also baked in hardware mechanisms called attestation, which ensures only authorized parties can access data in secure vaults.

Homomorphic encryption is typically used when banks and other large enterprises need to offer the ability to search the database without exposing the unencrypted information, because that scheme allows users to work directly on encrypted data without turning it into plaintext. However, that form of encryption may not be the best for some types of searches, says Richard Searle, vice president of confidential computing at Fortanix. He notes that homomorphic encryption search gets slower and complicated with complex query requests.

"You need to perform that search in plaintext, and the only way to do that is within the confidential computing trusted execution environment, where it is shielded from the outside, there's no human access, no external application access, no operating system access," Searle says. "You can run the query in the same way as you would in an unsecured world."

Searle also notes that in many cases, vendors using homomorphic encryption are working with nonstandard hardware — not off-the-shelf Intel Xeon CPUs or standard server blades.

Fortanix also supports Intel's Trust Domain Extension (TDX) module, which is a confidential computing technology suited for artificial intelligence (AI) applications. Companies can feed diverse information into secure vaults to enhance proprietary AI learning models. The third-party data set can be allowed to enter and exit the vault, with no information retained or stolen.

**Developing a Market for Confidential Computing

The market will have to prove Fortanix's technology, and the company will have to show a dramatic performance improvement or dramatic cost savings to gain a foothold, says James Sanders, principal analyst at CCS Insight.

"The technology behind this is secondary to the value it must demonstrate to enterprise buyers," he says.

But Fortanix is in a solid position to educate the market about confidential computing, which is still new.

"The maxim 'don't roll your own security' applies here, " Sanders says. "Banks and hospitals are not going to write their own \[confidential computing\] stacks, and a validated third-party option will help to increase the exposure and utilization of those confidential computing technologies."

The Fortanix technology can be implemented on-premises or in the cloud with some form of confidential computing hardware enablement, including Intel Secure Guard Extension (SGX) and AMD's SEV-SNP. A tool called Data Security Manager manages the confidential computing deployment.

"We handle all of the deployment of the database at the interface for you," Searle says. "You do not need to get involved in implementation. It is an automated deployment based on the policy controls within Data Security Manager."

**

Fortanix Builds Hardware Security Wall Around Plaintext Search

Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.

Researchers have written exploit code for a critical remote code execution (RCE) vulnerability in Fortinet's FortiGate SSL VPNs that the vendor disclosed and patched in June 2023.

Bishop Fox's research team, which developed the exploit, has estimated there are some 340,000 affected FortiGate devices that are currently unpatched against the flaw and remain open to attack. That number is significantly higher than the 250,000 FortiGate devices that several researchers estimated were vulnerable to exploit when Fortinet first disclosed the flaw on June 12.

**Code Not Released Publicly — but There's a GIF**

"There are 490,000 affected \[FortiGate\] SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched," Bishop Fox's director of capability development, Caleb Gross, wrote in a blog post on June 30. "You should patch yours now."

The heap-based buffer overflow vulnerability, tracked as CVE-2023-27997, affects multiple versions of FortiOS and FortiProxy SSL-VPN software. It gives an unauthenticated, remote attacker a way to execute arbitrary code on an affected device and take complete control of it. Researchers from French cybersecurity firm Lexfo who discovered the flaw assessed it as affecting every single SSL VPN appliance running FortiOS.

Bishop Fox has not released its exploit code publicly. But its blog post has a GIF of it in use. Gross described the exploit that Bishop Fox has developed as giving attackers a way to open an interactive shell they could use to communicate with an affected FortiGate appliance.

"This exploit very closely follows the steps detailed in the original blog post by Lexfo, though we had to take a few extra steps that were not mentioned in that post," Gross wrote. "The exploit runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo."

Fortinet issued firmware updates that addressed the issue on June 12. At the time, the company said the flaw affected organizations in government, manufacturing and other critical infrastructure sectors. Fortinet said it was aware of an attacker exploiting the vulnerability in a limited number of cases.

Fortinet cautioned about the potential for threat actors like those behind the Volt Typhoon cyber-espionage campaign to abuse CVE-2023-27997. Volt Typhoon is a China-based group that is believed to have established persistent access on networks belonging to US telecom companies and other critical infrastructure organizations, for stealing sensitive data and carrying out other malicious actions. The campaign so far has primarily used another, older Fortinet flaw (CVE-2022-40684) for initial access. But organizations should not discount the possibility of Volt Typhoon — and other threat actors — using CVE-2023-27997 either, Fortinet warned.

**Why Security Appliances Make Popular Targets**

CVE-2023-27997 is one of numerous critical Fortinet vulnerabilities that have been exposed. Like that of almost every other firewall and VPN vendor, Fortinet's appliances are a popular target for adversaries because of the access they provide to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others have issued multiple advisories in recent years about the need for organizations to promptly address vulnerabilities in these and other network devices because of the high attacker interest in them.

In June 2022, for instance, CISA warned of China-sponsored threat actors actively targeting unpatched vulnerabilities in network devices from a wide range of vendors. The advisory included a list of the most common of these vulnerabilities. The list included vulnerabilities in products from Fortinet, Cisco, Citrix, Netgear, Pulse, QNAP, and Zyxel.

Systems administrators should patch as quickly as possible, even though patching firmware can be a bit more cumbersome when dealing with appliances that run application gateways, says Timothy Morris, chief security adviser at Tanium. Often, appliances such as those from Fortinet face the perimeter and have very high-availability requirements, meaning they have tight windows for change.

"For most organizations, a certain amount of downtime is probably inevitable," Morris says. Vulnerabilities such as CVE-2023-27997 require the full firmware image to be reloaded, so there is a certain amount of time and risk involved, he adds. "Configurations have to be backed up and restored to make sure they are working as expected."

Researchers Develop Exploit Code for Critical Fortinet VPN Bug

Attribution for the cyberattack on Dozor-Teleport remains murky, but the effects are real — downed communications and compromised data.

Russian satellite Internet provider Dozor-Teleport was knocked offline in the early hours of June 29, dealing a communications blow to the company's customers, which according to reports include Russian military and energy interests.

The Wagner Group, the mercenary army once fighting for Russia, and now seemingly turned against Putin's government, claimed it was behind the cyberattack against the satellite communications provider. But experts aren't convinced.

Russian reports say full recovery of Dozor-Teleport could take up to two weeks. The company's general director Alexander Anosov confirmed the breach to Russian media, adding that early investigations show the company was breached through a third-party cloud provider.

The threat actors behind the compromise explained on Telegram they were able to deliver malware to several satellite terminals to take them offline, reports said. For additional proof, the threat actors posted internal data stolen from the Dozor-Teleport network.

"The whole world watched our actions, listened to our every word. We showed how easily we can reach Moscow in a day without meeting any resistance," the cyber attackers said in their Telegram message.

The reference seems to add to the narrative that the cyberattack was launched by Wagner Group, which, under the command of the now-exiled Yevgeny Prigozhin, marched on Moscow in protest of the Putin government's execution of the Russian invasion of Ukraine.

**Was This a False Flag?**

But the Wagner Group's Telegram channel has made no mention of the cyberattacks so far, according to reports on the incident.

Cybersecurity and international relations expert Oleg Shakirov has been monitoring the breach and assessed in a June 29 tweet that "Wagner's involvement is very unlikely."

He instead suspects the Dozor-Teleport compromise is the work of the Ukrainian military. "Some Russian websites have also been defaced presumably on behalf of Wagner (disgruntled that Russia didn't fulfill its part of the bargain)," Shakirov added. "But again this looks like Ukrainian false flag trolling."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Russian Satellite Internet Downed via Attackers Claiming Ties to Wagner Group

Israel's cyber head points finger at Iran-backed MuddyWater APT group as the perpetrator of a recent attack against a university.

Israel earlier this year aided the United Arab Emirates (UAE) in helping repel a major distributed denial-of-service (DDoS) attack.

Speaking at last week's Cyber Week in Tel Aviv, UAE head of cybersecurity Mohamed Al Kuwaiti said that attacks "continuously come and go" and praised the Abraham Accords, which were ratified in 2020 to strengthen Middle East relations. "Thank God for the partnership, with the relationship that we have; it helped us elevate as well as to prepare an early warning system," he said.

According to Jewish Press, Gaby Portnoy, director general of the Israel National Cyber Directorate, joined Al Kuwaiti onstage at the conference, as did national cyber representatives from Bahrain, Morocco, and the US.

Al Kuwaiti noted that "cybersecurity is an important aspect for us all" and that many of Israel's startups are "helping us as a matter of fact to build up that cyber dome or to extend that cyber dome to defend against cyberattacks," a report by All Israel said.

The DDoS attack declaration by Al Kuwaiti came in the same week as a formal announcement was made to increase intelligence sharing between the UAE and Israel with the so-called Crystal Ball project, a partnership between Israel and the UAE's cyber teams and backed by private industry. Crystal Ball is intended to detect and repel hackers via collaboration and knowledge sharing around national-level cyberthreats.

"It is a well-known fact that criminal gangs are working together to victimize individuals and companies, any improvements in international cooperation between nation-states to tackle these threats is a welcome move," says Brian Honan, CEO of BH Consulting.

**No Clarity in MuddyWater?**

At CyberWeek, Portnoy reportedly mentioned cyberattacks the group MuddyWater initiated against Israel. He said the MuddyWater group has ties to Iran's Islamic Revolutionary Guard Corps (IRGC), and blamed it for a cyberattack against the Technion Institute of Technology in Haifa. Technion was forced to disconnect its systems to prevent security damage and lose data.

According to a new blog from Deep Instinct's Simon Kenin, a custom-made command and control server was detected in the attack against Technion, and MuddyWater have been using that server since 2021.

"The group doesn't just work against Israel, but rather also hacks civilian targets in many other countries, including Turkey, Saudi Arabia, Egypt, Morocco, India, Bahrain, Oman, Kuwait, and others," Portnoy said.

The MuddyWater group has previously been linked to spear phishing campaigns against employees of Middle East telecom operators, as well as with cyber surveillance activities.

Source

DARKReading